Here we go again.
"'It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP,' developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment."
https://bugzilla.redhat.com/show_bug.cgi?id=1139181
wget has been fixed with v1.16.
I presume this security patch will flow through soon?
Responses (3)
Yes, you are right. Only for shell access accounts. But it could really screw up something if you happen to use wget and end up at a vulnerable site.
"Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink."
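The description above names the trigger precisely: one filename appearing twice in the server's LIST response, once as a symlink. The following is an added example, not code from this thread or from wget itself, that scans a Unix-style LIST response for that pattern so a wrapper script can refuse to recurse into a server that serves one. The listing it checks is constructed for the example; real listings vary in format, and names containing spaces are out of scope for this heuristic.

```shell
# Added example, not code from the thread or from wget: scan a Unix-style
# FTP LIST response for the pattern the quoted description names, the same
# filename listed twice with one entry a symlink. A pre-1.16 recursive wget
# with retr-symlinks off recreated such symlinks locally and then wrote the
# other entry's data through them. The listing below is constructed.
SAMPLE_LISTING='drwxr-xr-x 2 ftp ftp    4096 Oct 31 06:53 pub
lrwxrwxrwx 1 ftp ftp      11 Oct 31 06:53 pub -> /etc/cron.d
-rw-r--r-- 1 ftp ftp     128 Oct 31 06:53 README
lrwxrwxrwx 1 ftp ftp      10 Oct 31 06:53 README -> ../../.ssh
-rw-r--r-- 1 ftp ftp      42 Oct 31 06:53 notes.txt'

# Reads a LIST response on stdin and prints "<name> -> <target>" for every
# name that appears both as a symlink and as a non-symlink entry, sorted in
# the C locale so the output is stable. Prints nothing for a clean listing.
flag_duplicate_symlinks() {
    awk '
        NF >= 9 && $1 ~ /^[-dlcbps]/ {
            name = $9
            if (substr($1, 1, 1) == "l") {
                # Everything after the "->" in field 10 is the link target.
                target = ""
                for (i = 11; i <= NF; i++)
                    target = target (i > 11 ? " " : "") $i
                link[name] = target
            } else {
                plain[name] = 1
            }
        }
        END {
            for (n in link)
                if (n in plain) print n " -> " link[n]
        }
    ' | LC_ALL=C sort
}

# Runs the sample through the check; returns 1 when anything was flagged,
# which is the signal to abort a recursive download from that server.
check_sample_listing() {
    hits=$(printf '%s\n' "$SAMPLE_LISTING" | flag_duplicate_symlinks)
    if [ -n "$hits" ]; then
        printf 'suspicious LIST entries:\n%s\n' "$hits"
        return 1
    fi
    echo "listing looks clean"
}
```

Run `check_sample_listing` to see both planted entries flagged; feed a real listing (for example captured with `curl -s ftp://host/dir/`) into `flag_duplicate_symlinks` to check a server before pointing a pre-1.16 `wget -r` at it. The check only recognises the duplicate-name trick; upgrading wget or setting `retr-symlinks=on` remains the actual fix.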
Accepted Answer
Just came across this on a CentOS News Group
Re: [CentOS-announce] CESA-2014:1764 Moderate CentOS 6 wget Security Update
On 10/31/2014 06:53 AM, Johnny Hughes wrote:
>
> CentOS Errata and Security Advisory 2014:1764 Moderate
>
> Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-1764.html
Note to CentOS 5 users. Red Hat does not plan to release a fixed wget
for EL5. You can mitigate this vulnerability by adding the following
line to the bottom of /etc/wgetrc:
retr-symlinks=on
Doing so will basically accomplish exactly the same thing that this
update does.
Peter
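The mitigation Peter describes works because wget 1.16 fixed the issue by making `retr-symlinks` default to on (so recursive FTP retrieval fetches the target's contents instead of creating a local symlink), and setting the same option in `/etc/wgetrc` gives an older wget the same behaviour. The script below is an added example, not part of the CentOS announcement or of wget, that checks a host either way: it passes if the reported wget version is 1.16 or newer, or if the rc file's effective `retr-symlinks` value is on. It assumes wget's rc parser behaviour as I understand it: comment and blank lines are ignored, option names are case-insensitive with `-` and `_` interchangeable, `on`/`yes`/`1` are the true values, and a later line overrides an earlier one. The sample rc file and paths are constructed for the example.

```shell
# Added example, not code from the thread or from wget: decide whether a host
# is covered against the recursive-FTP symlink issue, either because its wget
# is 1.16 or newer (where retr-symlinks defaults to on) or because the wgetrc
# mitigation from the CentOS note is in place. The rc parsing rules below
# (comments, case, "-"/"_", last line wins, on/yes/1) are assumptions about
# wget's parser; the sample config is constructed for this example.

# Returns 0 when dotted numeric version $1 is >= version $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Prints the effective retr-symlinks value from wgetrc file $1, or "unset".
wgetrc_retr_symlinks() {
    awk '
        {
            line = tolower($0)
            sub(/^[[:space:]]+/, "", line)
            if (line ~ /^#/ || line == "") next
            if (match(line, /^retr[-_]?symlinks[[:space:]]*=[[:space:]]*/)) {
                val = substr(line, RLENGTH + 1)
                sub(/[[:space:]]+$/, "", val)
                last = val
            }
        }
        END { v = (last == "") ? "unset" : last; print v }
    ' "$1"
}

# Returns 0 (mitigated) when wget version $1 is >= 1.16 or rc file $2 turns
# retr-symlinks on; prints the reason either way.
wget_symlink_mitigated() {
    ver="$1"; rc="$2"
    if version_ge "$ver" 1.16; then
        echo "wget $ver: retr-symlinks defaults to on since 1.16"
        return 0
    fi
    case "$(wgetrc_retr_symlinks "$rc")" in
        on|yes|1)
            echo "wget $ver: mitigated by retr-symlinks in $rc"
            return 0 ;;
        *)
            echo "wget $ver: VULNERABLE, add retr-symlinks=on to $rc"
            return 1 ;;
    esac
}

# Writes a constructed wgetrc to $1: a commented-out "on", an explicit
# "off", then a final "ON" with odd casing and spacing that must win.
write_sample_wgetrc() {
    cat > "$1" <<'EOF'
# constructed sample wgetrc for this example
#retr-symlinks=on
retr-symlinks = off
   Retr_Symlinks = ON
EOF
}

# Stand-alone run: EL5 shipped wget 1.11.4, so only the rc file can save it.
demo() {
    rc=$(mktemp)
    write_sample_wgetrc "$rc"
    wget_symlink_mitigated 1.11.4 "$rc"
    rm -f "$rc"
}
```

On a real host call `wget_symlink_mitigated "$(wget --version | awk 'NR==1{print $3}')" /etc/wgetrc`. Note that a user's `~/.wgetrc` or a `--retr-symlinks=off` on the command line can still override the system file, so the check covers the system default, not every invocation.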